On additive differential probabilities of the composition of bitwise exclusive-or and a bit rotation

TL;DR

This paper investigates the properties of additive differential probabilities in ARX cryptographic primitives, focusing on maximums, symmetries, and impossible differentials of compositions involving XOR and bit rotations.

Contribution

It provides new insights into the maximum additive differential probabilities, symmetries, and impossible differential patterns for XOR and rotation compositions in cryptography.

Findings

Maximums of adp^{XR} are identified for specific rotations and fixed input differences.

Symmetries of adp^{XR} are characterized.

All impossible differentials are described and their counts estimated.

Abstract

Properties of the additive differential probability $\mathrm{adp}^{\mathrm{XR}}$ of the composition of bitwise XOR and a bit rotation are investigated, where the differences are expressed using addition modulo $2^n$. This composition is widely used in ARX constructions consisting of additions modulo $2^n$, bit rotations and bitwise XORs. Differential cryptanalysis of such primitives may involve maximums of $\mathrm{adp}^{\mathrm{XR}}$, where some of its input or output differences are fixed. Although there is an efficient way to calculate this probability (Velichkov et al, 2011), many of its properties are still unknown. In this work, we find maximums of $\mathrm{adp}^{\mathrm{XR}}$, where the rotation is one bit left/right and one of its input differences is fixed. Some symmetries of $\mathrm{adp}^{\mathrm{XR}}$ are obtained as well. We provide all its impossible differentials in terms of regular expression patterns and estimate the number of them. This number turns out to be maximal for the one bit left rotation and noticeably less than the number of impossible differentials of bitwise XOR.